Brute force attack behavior identification method, device, equipment, medium and program product

By setting fake passwords and similarity parameters to simulate login response delays, low-frequency, long-term credential stuffing attacks can be identified, solving the problem of low identification accuracy in existing technologies and achieving higher identification accuracy and a lower false negative rate.

CN120498816B · Active · Publication Date: 2026-06-26 · CHINA UNIONPAY

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: CHINA UNIONPAY
Filing Date: 2025-06-04
Publication Date: 2026-06-26

AI Technical Summary

Technical Problem

Existing technologies struggle to accurately identify low-frequency, long-term credential stuffing attacks. Attackers disguise these attacks as low-frequency, long-term normal login activities by reducing the frequency of attempts from a single IP address, thus lowering the accuracy of identification.

Method used

By setting a target fake password, calculating the similarity parameter between the login input password and the fake password, simulating the login response delay, and inducing attackers to continuously try to approximate the fake password, abnormal behavior can be identified by the changes in the similarity parameter of multiple login requests.

Benefits of technology

It improves the accuracy of identifying credential stuffing attacks, reduces the false negative rate, decreases the misjudgment of legitimate users, extends the attack cycle, and increases the cost of attacks.

✦ Generated by Eureka AI based on patent content.


Abstract

The application discloses a password-cracking attack behavior identification method, device, equipment, medium and program product, and belongs to the field of information security protection. The method comprises the following steps: receiving a login request message for requesting to log in to a target account, wherein the login request message comprises a target username and a login input password, and the target username corresponds to the target account; in the case that the login input password is inconsistent with the account password of the target account, calculating a similarity parameter of the login input password and a target pseudo password preset for the target account, wherein the target pseudo password is different from the account password; determining a response delay time length based on the similarity parameter, and feeding back a login response message according to the response delay time length; in the case that the change of the similarity parameters corresponding to multiple login request messages for logging in to the target account meets a preset abnormality identification condition, it is determined that there is a password-cracking attack behavior for logging in to the target account. According to the embodiment of the application, the identification accuracy of the password-cracking attack behavior can be improved.

Description

Technical Field

[0001] This application belongs to the field of information security protection, and in particular relates to a method, device, equipment, medium and program product for identifying credential stuffing attack behavior.

Background Technology

[0002] A credential stuffing attack is a type of cyberattack where attackers use leaked usernames and password combinations to attempt to log in to websites or services in bulk. Specifically, attackers can use automated tools to try logging in to a website one username and password combination after another. If a login is successful, the attacker can obtain the user's account information on that website, causing a wider leak of the user's privacy information.

[0003] Because credential stuffing attacks typically involve batch login attempts, they occur frequently within a short period. Such attacks can be identified by setting thresholds for the number of login attempts or login frequency. However, to circumvent these detection methods, attackers reduce the frequency of attempts using a single Internet Protocol (IP) address, disguising the attack as a low-frequency, long-term normal login operation. This bypasses the detection of credential stuffing attacks and reduces the accuracy of their identification.

Summary of the Invention

[0004] This application provides a method, apparatus, device, medium, and program product for identifying credential stuffing attacks, which can improve the accuracy of identifying credential stuffing attacks.

[0005] In a first aspect, embodiments of this application provide a method for identifying credential stuffing attacks, comprising: receiving a login request message requesting login to a target account, the login request message including a target username and a login password, the target username corresponding to a target account; if the login password does not match the account password of the target account, calculating a similarity parameter between the login password and a pre-set target pseudo-password for the target account, the target pseudo-password being different from the account password; determining a response delay duration based on the similarity parameter, and feeding back a login response message according to the response delay duration; and determining that a credential stuffing attack exists when the changes in the similarity parameters corresponding to multiple login request messages for the target account meet preset anomaly identification conditions.

[0006] In a second aspect, embodiments of this application provide a credential stuffing attack behavior identification device, comprising: a receiving module, configured to receive a login request message requesting login to a target account, the login request message including a target username and a login password, the target username corresponding to a target account; a similarity calculation module, configured to calculate a similarity parameter between the login password and a pre-set target pseudo-password for the target account when the login password is inconsistent with the account password of the target account, the target pseudo-password being different from the account password; a response duration determination module, configured to determine a response delay duration based on the similarity parameter and feed back a login response message according to the response delay duration; and a behavior determination module, configured to determine the existence of a credential stuffing attack behavior targeting the target account when the changes in the similarity parameter corresponding to multiple login request messages targeting the target account meet preset abnormal identification conditions.

[0007] In a third aspect, embodiments of this application provide a credential stuffing attack behavior identification device, including: a processor and a memory storing computer program instructions; the processor implements the credential stuffing attack behavior identification method of the first aspect when executing the computer program instructions.

[0008] In a fourth aspect, embodiments of this application provide a computer-readable storage medium storing computer program instructions, which, when executed by a processor, implement the credential stuffing attack behavior identification method of the first aspect.

[0009] In a fifth aspect, embodiments of this application provide a computer program product, including a computer program, which, when executed by a processor, implements the credential stuffing attack behavior identification method of the first aspect.

[0010] This application provides a method, apparatus, device, medium, and program product for identifying credential stuffing attacks. When the login password entered in a login request message for a target account does not match the target account's actual password (i.e., the account password), a similarity parameter between the entered password and the target fake password can be calculated. Based on this similarity parameter, the response delay of the feedback login response message is determined to simulate the impact of the difference between the entered password and the account password on the response delay, thus inducing the attacker to continuously invest resources to approximate the target fake password as the account password. Furthermore, based on the changes in the similarity parameter corresponding to multiple login request messages for the target account within a preset time period, it is determined whether the multiple login request messages conform to the attacker's behavior of continuously trying to approximate the target fake password. If the changes in the similarity parameter meet the anomaly identification conditions, a credential stuffing attack is determined to exist. This method can identify low-frequency, long-term credential stuffing attacks, thereby reducing the false negative rate of credential stuffing attacks, reducing false positives for legitimate users, and improving the accuracy of identifying credential stuffing attacks.

Attached Figure Description

[0011] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0012] Figure 1 is a flowchart illustrating a method for identifying credential stuffing attack behavior according to an embodiment of this application;

[0013] Figure 2 is a schematic diagram illustrating an example of a visualization report provided in an embodiment of this application;

[0014] Figure 3 is a flowchart illustrating an example of the credential stuffing attack behavior identification process provided in an embodiment of this application;

[0015] Figure 4 is a schematic diagram of the structure of a credential stuffing attack identification device provided in an embodiment of this application;

[0016] Figure 5 is a schematic diagram of the structure of a credential stuffing attack detection device provided in an embodiment of this application.

Detailed Implementation

[0017] The features and exemplary embodiments of various aspects of this application will be described in detail below. To make the objectives, technical solutions, and advantages of this application clearer, the application will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are only intended to explain this application and not to limit it. For those skilled in the art, this application can be implemented without some of these specific details. The following description of the embodiments is merely to provide a better understanding of this application by illustrating examples. It should be noted that the acquisition, storage, use, and processing of information and data in the embodiments of this application are all authorized by users or relevant organizations and comply with the relevant provisions of national laws and regulations.

[0018] A credential stuffing attack is a type of cyberattack where attackers use automated tools to try and log in to a website using collected usernames and passwords. If a login is successful, the attacker gains access to the user's account information, leading to a wider leak of the user's privacy. To identify credential stuffing attacks, thresholds such as login attempt count or login frequency can be preset. If the number of logins exceeds the threshold or the login frequency exceeds the threshold within a short period, it can be considered a credential stuffing attack. However, to circumvent this detection method, attackers reduce the frequency of attempts from a single IP address, disguising the credential stuffing attack as low-frequency, long-term normal login operations, thus bypassing the detection and reducing the accuracy of credential stuffing attack identification.

[0019] This application provides a method, apparatus, device, medium, and program product for identifying credential stuffing attacks. It can design a fake password trap mechanism, which induces attackers to form a unique probing-correction behavior trajectory during low-frequency, long-term continuous login attempts by simulating the progressive response feedback of a login system. This probing-behavior trajectory can be identified during long-term login attempts, thereby identifying low-frequency, long-term credential stuffing attacks, improving the accuracy of credential stuffing attack identification, and strengthening the precise identification and effective control of credential stuffing attacks.

[0020] The following describes the method, apparatus, equipment, media, and program products for identifying credential stuffing attacks provided in this application.

[0021] This application provides a method for identifying credential stuffing attacks, which can be applied to scenarios where user logins are monitored. This method can be executed by a user login system, which can be implemented as a credential stuffing attack identification device or equipment, etc., and is not limited thereto. Figure 1 shows a flowchart of a method for identifying credential stuffing attack behavior provided in an embodiment of this application. As shown in Figure 1, the method for identifying credential stuffing attacks may include steps S101 to S104.

[0022] In step S101, a login request message requesting to log in to the target account is received.

[0023] The target account is the account to be logged into. The target account can include accounts for applications, mini-programs, etc., and can also include payment accounts; this is not limited here. The login request message is used to request login to the target account, including the target username and login password. Different accounts correspond to different usernames, and the target username corresponds to the target account. The target username includes the username obtained based on the user's input. For example, the target username can be the username entered by the user in the username input box, or the username selected by the user from the username drop-down list; the method of user input is not limited here. The login password is the password entered by the user and carried in the login request message.

[0024] In some examples, the login request message may also include, but is not limited to, one or more of the following: the IP address that sent the login request message, the device identification information of the device that sent the login request message, and the time when the login request message was sent. The device identification information is used to identify the device that sent the login request message; for example, the device identification information may include, but is not limited to, device code, device fingerprint information, etc.

[0025] In step S102, if the login password does not match the target account's password, the similarity parameter between the login password and the target pseudo password pre-set for the target account is calculated.

[0026] The login password may or may not match the target account's password. The login password is first compared with the target account's password. If they match, the user logging in is likely to be the user of the target account, and the login can either be allowed directly or user authentication can continue; this is not limited here. If they do not match, either the user of the target account accidentally entered the wrong password or an attacker is launching a credential stuffing attack, and further processing is needed to determine which is the case.

[0027] A fake password can be pre-set for the target account; different target accounts can use different fake passwords. The fake password is different from the account password. It's a fake password for the target account; using the fake password will not allow login, while the account password will. The purpose of setting a fake password is to lure attackers into using login passwords similar to the fake password in low-frequency, long-term credential stuffing attacks, thus facilitating the identification of the attacker's credential stuffing attack. The fake password can be randomly generated. In some examples, encryption algorithms can be used to generate random strings as the fake password; for example, the Advanced Encryption Standard (AES) algorithm can be used. To ensure the security of the account password (which is the real password), the fake password can be encrypted and stored in a separate database completely isolated from the database containing the account password, thus preventing account password leakage.

[0028] The similarity parameter between the login password and the target pseudo password can characterize the similarity between them. The similarity parameter may include, but is not limited to, one or more of the following parameters: cosine similarity, edit distance (Levenshtein distance), Jaccard similarity, Hamming distance, longest common subsequence similarity, N-Gram similarity, and Jaro-Winkler similarity. Other similarity parameters that can characterize similarity are also within the scope of protection of this application's embodiments.

[0029] In step S103, the response delay duration is determined based on the similarity parameter, and the login response message is fed back according to the response delay duration.

[0030] Traditional user login processes do not involve a target fake password; they only compare the user's entered password with the target account's password. During this comparison, the degree of difference between the entered password and the account password affects the delay in the login response message sent to the user. For example, if the comparison is character-by-character, the earlier the first differing character between the entered password and the account password appears, the shorter the delay. Attackers might exploit this, judging the similarity between the entered password and account password based on the delay in receiving the login response message, updating the entered password, resending the login request message, and repeating the process until the user's account is compromised. This application's embodiments utilize this principle by setting a target fake password and adjusting the response delay of the login response message based on the similarity between the entered password and the target fake password. This simulates the impact of the difference between the entered password and the account password on the response delay, causing attackers to treat the target fake password as the account password and continuously invest resources to try and approximate it. The login response message is the feedback message paired with the login request message. The login response message can include the login result, which may be login successful or login failed. A response delay can be inserted before sending the login response message; that is, the system waits for the specified delay before sending the login response message.

[0031] In some examples, the response delay is positively correlated with the similarity represented by the similarity parameter. That is, the higher the similarity represented by the similarity parameter, the longer the response delay, in order to simulate the impact of the difference between the login input password and the account password on the response delay of the feedback login response message.

[0032] In step S104, if the changes in the similarity parameters corresponding to multiple login request messages of the target account meet the preset anomaly identification conditions, it is determined that there is a credential stuffing attack on the target account.

[0033] If a credential stuffing attack exists against the target account, the changes in the similarity parameters of multiple login request messages over a long period will follow a certain pattern. Anomaly detection conditions can be pre-set based on the attacker's pattern of continuously investing resources to approximate the target fake password as the account's actual password. That is, the anomaly detection conditions can include information depicting the attacker's pattern of continuously investing resources to approximate the target fake password. By analyzing the changes in the similarity parameters of multiple login request messages targeting the account, the long-term login behavior toward the target account can be revealed. Analyzing this long-term login behavior reduces reliance on high-frequency request detection mechanisms and lowers the computational resource consumption of the user login system. If the changes in the similarity parameters meet the anomaly detection conditions, it indicates that multiple login request messages within a preset time period were sent by the attacker, constituting a credential stuffing attack, thus confirming the existence of a credential stuffing attack targeting the account. In response to the confirmation of a credential stuffing attack targeting the account, appropriate security measures can be taken promptly to protect the target account's security. For example, security measures may include, but are not limited to, one or more of the following: locking the target account, sending alert messages to the real user of the target account, and sending alert messages to the administrators of the login system.

[0034] In some examples, the login request message may include, but is not limited to, one or more of the following: the IP address sending the login request message, the device identification information of the device sending the login request message, and the time when the login request message was sent. The IP address, device identification information, and time when the login request message is sent can be used as contextual information for similarity parameters to determine whether a credential stuffing attack has occurred. For example, if an IP address sends login request messages more frequently than a preset normal frequency within a short period, it can be considered a credential stuffing attack; if a device fingerprint is associated with multiple different IP addresses in multiple login request messages, it can be considered a credential stuffing attack; if multiple IP addresses send login request messages requesting login to the same target account within a short period, it can be considered a credential stuffing attack. Abnormal IP addresses and abnormal devices can also be identified based on the IP address, device fingerprint, etc., in login request messages identified as credential stuffing attacks for subsequent tracing.

[0035] In this embodiment, when the login password entered in the login request message requesting login to the target account is inconsistent with the actual password of the target account (i.e., the account password), a similarity parameter between the login password entered and the target pseudo password of the target account can be calculated. Based on this similarity parameter, the response delay of the feedback login response message is determined to simulate the impact of the difference between the login password entered and the account password on the response delay of the feedback login response message, thus inducing the attacker to continuously invest resources to try and approximate the target pseudo password by treating it as the account password. Furthermore, based on the changes in the similarity parameter corresponding to multiple login request messages for logging into the target account within a preset time period, it is determined whether the multiple login request messages conform to the attacker's behavior of continuously trying to approximate the target pseudo password. If the changes in the similarity parameter conform to the attacker's behavior of continuously trying to approximate the target pseudo password, i.e., if the changes in the similarity parameter meet the anomaly identification conditions, it is determined that a credential stuffing attack has occurred. This method can identify low-frequency, long-term credential stuffing attacks, thereby reducing the false negative rate of credential stuffing attacks, decreasing false positives for legitimate users, improving the accuracy of credential stuffing attack identification, extending the attack cycle, increasing the attacker's cost, and reducing the success rate of credential stuffing attacks. Simultaneously, it can reduce reliance on high-frequency login request detection mechanisms, lower the computational resource consumption of the user login system, and support seamless integration with existing password verification systems.

[0036] In some embodiments, the similarity parameter between the login input password and the target pseudo-password can be determined by combining two aspects of similarity. Specifically, a first similarity parameter can be determined based on the operations required to convert the login input password into the target pseudo-password; a second similarity parameter can be determined based on the length of the matching prefixes of the login input password and the target pseudo-password; and the first and second similarity parameters are combined to obtain the final similarity parameter.

[0037] The first similarity parameter characterizes the minimum number of operations required to convert the login password into the target pseudo-password. The smaller the minimum number of operations required, the more similar the login password and the target pseudo-password are. The operations required to convert the login password into the target pseudo-password may include, but are not limited to, character deletion, character addition, and character replacement operations. In some examples, the first similarity parameter can be calculated using dynamic programming. This involves sequentially obtaining the minimum number of operations required to convert the first i characters of the login password into the first j characters of the target pseudo-password, until the minimum number of operations for the whole strings is obtained. Here, i indexes a character position in the login password, and j indexes a character position in the target pseudo-password. The minimum number of operations required to convert the first i characters of the login password into the first j characters of the target pseudo-password is based on the conversion between the first i-1 characters of the login password and the first j-1 characters of the target pseudo-password. For example, the login password is string s1, and the target pseudo password is string t1. String s1 includes m characters, and string t1 includes n characters. A two-dimensional matrix can be used to represent the minimum number of operations required to convert the first i characters of the login password into the first j characters of the target pseudo password. Any element d[i][j] in this two-dimensional matrix represents the minimum number of operations required to convert the first i characters of the login password into the first j characters of the target pseudo password. It should be noted that the character numbers in strings s1 and t1 can start from 0, that is, the characters in string s1 include characters s[0] to s[m-1], and the characters in string t1 include characters t[0] to t[n-1]. The first similarity parameter can be calculated according to the following formula (1):

[0038]

[0039] Where d(i,j) is the minimum number of operations required to convert the first i characters of the login password into the first j characters of the target pseudo password; s[i-1] is the (i-1)th character in string s1, and t[j-1] is the (j-1)th character in string t1; if character s[i-1] is the same as character t[j-1], then d(i,j) = d(i-1,j-1); if character s[i-1] is different from character t[j-1], then d(i,j) is the minimum among d(i-1,j)+1, d(i,j-1)+1, and d(i-1,j-1)+1. Each of these three values is a candidate number of operations for converting the first i characters of the login password into the first j characters of the target pseudo-password: d(i-1,j)+1 is the number when the last operation is a character deletion, d(i,j-1)+1 is the number when the last operation is a character addition, and d(i-1,j-1)+1 is the number when the last operation is a character replacement. Through this iterative calculation, d(m,n) can be calculated as the minimum number of operations required to convert the login password into the target pseudo-password.

[0040] Normalization can convert the minimum number of operations required to convert the login password into the target pseudo-password into a value between 0 and 1, for subsequent similarity parameter calculation. The specific method of normalization is not limited here; any normalization method that converts the minimum number of operations into a value between 0 and 1 is within the protection scope of this application's embodiments. For example, the longer of the login password's length and the target pseudo-password's length can be obtained, the ratio of the minimum number of operations to the longer length can be calculated, and the difference between 1 and this ratio can be determined as the first similarity parameter.

[0041] The second similarity parameter characterizes the length of the matching prefix of the login password and the target pseudo-password. The longer the matching prefix, the more similar the login password is considered to be. The matching prefix includes consecutive identical characters in both the login password and the target pseudo-password starting from the first character; that is, the matching prefix includes the characters before the first differing character in the character order of the login password and the target pseudo-password. Mechanisms that derive similarity from matching length are more likely to encourage attackers to probe. Combining the second similarity with the first similarity takes into account the effect that the position of the first differing character, in particular one near the beginning of the string, has on the similarity score. For example, if the target pseudo-password is "abcdef", and one login password is "ab*def" and another is "a*cdef", both login passwords have the same first similarity to the target pseudo-password. However, considering the matching prefix, the login password "ab*def" is generally considered closer to the target pseudo-password "abcdef" than the login password "a*cdef".

[0042] In some examples, the consecutive characters that are identical in the login password and the target pseudo-password, starting from the first character, can be identified as the matching prefix; the longer of the length of the login password and the length of the target pseudo-password is taken, and the ratio of the length of the matching prefix to that longer length is determined as the second similarity parameter. Length here may be measured as the number of characters.

[0043] For example, the second similarity parameter can be calculated according to the following formula (2):

[0044]

[0045] Where Prefix_similarity is the second similarity parameter; prelen is the length of the matching prefix; len(s) is the length of the login input password; len(target) is the length of the target pseudo password; and max() is the function that returns the maximum value.

[0046] The similarity parameter can be obtained by combining the first similarity parameter and the second similarity parameter. In some examples, the product of the first similarity parameter and the second similarity parameter can be used as the similarity parameter. For example, the similarity parameter can be calculated according to the following formula (3):

[0047] Similarity=d(m,n)×Prefix_similarity (3)

[0048] Wherein, Similarity is the similarity parameter; d(m,n) is the first similarity parameter; and Prefix_similarity is the second similarity parameter. The specific contents of the first and second similarity parameters can be found in the relevant descriptions in the above embodiments, and will not be repeated here. The value of the first similarity parameter is between 0 and 1, the value of the second similarity parameter is between 0 and 1, and correspondingly, the value of the similarity parameter is also between 0 and 1.

[0049] In some examples, weight coefficients can be set for the first similarity parameter and the second similarity parameter respectively, and the similarity parameter can be calculated using a weighted algorithm.

[0050] When the similarity parameter is between 0 and 1, a similarity parameter of 0 indicates that the login password and the target pseudo-password do not match at all, while a similarity parameter of 1 indicates that the login password and the target pseudo-password match perfectly. If the length of the matching prefix between the login password and the target pseudo-password is relatively long and the minimum number of operations required to convert the login password to the target pseudo-password is small, the similarity parameter is close to 1, meaning that the login password and the target pseudo-password are very similar, close to a perfect match. If the length of the matching prefix between the login password and the target pseudo-password is relatively short or even 0, or if the minimum number of operations required to convert the login password to the target pseudo-password is relatively large, the similarity parameter is close to 0, meaning that the login password and the target pseudo-password are very dissimilar.

[0051] In some embodiments, a gradient mapping relationship between similarity parameters and delay durations can be preset. The gradient mapping relationship includes the correspondence between similarity parameters and delay durations. In the gradient mapping relationship, each time the similarity represented by the similarity parameter increases by a preset similarity step, the delay duration increases by a preset duration step. The similarity step and duration step can be set according to the scenario, requirements, experience, etc., and are not limited here. For example, the similarity step is 0.1 and the duration step is 100 milliseconds, that is, for every 0.1 increase in the similarity parameter, the delay duration increases by 100 milliseconds. When determining the response delay duration corresponding to the similarity parameter obtained in this calculation, the delay duration corresponding to the calculated similarity parameter is looked up in the preset gradient mapping relationship, and the delay duration found is determined as the response delay duration. For example, if for every 0.1 increase in the similarity parameter, the delay duration increases by 100 milliseconds, the response delay duration can be calculated according to the following formula (4), which can also be regarded as the model of the gradient mapping relationship:

[0052] response_time=base_response_time+(Similarity×1000) (4)

[0053] Among them, response_time is the response delay duration; base_response_time is the base response duration, which can be set according to the scenario, requirements, experience, etc. For example, the base response time can be 0 milliseconds or other values, which are not limited here; Similarity is the similarity parameter.

[0054] The response delay duration is determined by gradient mapping, and the login response message is fed back according to the response delay duration. This ensures login security while avoiding interference with normal user operations, thus balancing login defense capabilities, user login system efficiency, and user experience.
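The following Python code is an added example, not code from the patent. It evaluates formulas (2) to (4) on the "abcdef" example above. The edit operations (insert, delete, substitute), the normalization of the first similarity parameter as 1 minus the edit distance over the longer length, and all function names are assumptions of this example.

```python
"""Added example: similarity of a failed login password to a decoy
(pseudo) password and the resulting response delay, formulas (2)-(4)."""
import math


def edit_distance(s: str, target: str) -> int:
    """Minimum number of single-character insertions, deletions and
    substitutions that turn s into target (ASSUMED operation set)."""
    prev = list(range(len(target) + 1))
    for i, cs in enumerate(s, start=1):
        cur = [i]
        for j, ct in enumerate(target, start=1):
            cur.append(min(prev[j] + 1,                # delete cs
                           cur[j - 1] + 1,             # insert ct
                           prev[j - 1] + (cs != ct)))  # substitute or keep
        prev = cur
    return prev[-1]


def first_similarity(s: str, target: str) -> float:
    """d(m, n) in [0, 1]. ASSUMPTION: normalized as 1 - distance / longer
    length; the normalization is not shown in this part of the text."""
    longest = max(len(s), len(target))
    if longest == 0:
        return 1.0
    return 1.0 - edit_distance(s, target) / longest


def prefix_similarity(s: str, target: str) -> float:
    """Formula (2): prelen / max(len(s), len(target))."""
    longest = max(len(s), len(target))
    if longest == 0:
        return 1.0
    prelen = 0
    for a, b in zip(s, target):
        if a != b:
            break
        prelen += 1
    return prelen / longest


def similarity(s: str, target: str) -> float:
    """Formula (3): product of the first and second similarity parameters."""
    return first_similarity(s, target) * prefix_similarity(s, target)


def response_time_ms(sim: float, base_response_time: float = 0.0) -> float:
    """Formula (4): continuous model of the gradient mapping, in ms."""
    return base_response_time + sim * 1000


def stepped_response_time_ms(sim: float, base_response_time: int = 0,
                             similarity_step: float = 0.1,
                             duration_step_ms: int = 100) -> int:
    """Stepped gradient mapping: one duration step per full similarity step.
    The small epsilon keeps values such as 0.3 / 0.1 from rounding down."""
    steps = math.floor(sim / similarity_step + 1e-9)
    return base_response_time + steps * duration_step_ms


if __name__ == "__main__":
    # Constructed sample input. The delay depends only on the decoy, so the
    # timing of a failed login carries no information about the real password.
    pseudo_password = "abcdef"
    for attempt in ("zzzzzz", "a*cdef", "ab*def", "abcde*", "abcdef"):
        sim = similarity(attempt, pseudo_password)
        print(f"{attempt}: similarity={sim:.3f} "
              f"delay={stepped_response_time_ms(sim)} ms")
```
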

[0055] In some embodiments, the anomaly identification conditions in the above embodiments may include: the similarity represented by the similarity parameter monotonically increases and gradually converges; or, the similarity represented by the similarity parameter monotonically increases until it represents that the login input password is consistent with the target fake password. The characteristic of the similarity represented by the similarity parameter monotonically increasing is consistent with the characteristic of an attacker gradually trying to make the login input password approximate the target fake password. Moreover, in the early stages of a credential stuffing attack, the change in similarity is large, but as the inducement mechanism of the target fake password in this embodiment gradually takes effect, the change in the similarity represented by the similarity parameter will gradually decrease, reflecting that the attacker's behavior pattern tends to stabilize. Therefore, if the similarity represented by the similarity parameter monotonically increases and gradually converges, it can be determined that a credential stuffing attack has occurred. The monotonically increasing similarity represented by the similarity parameter until the login input password is consistent with the target fake password indicates that the attacker has repeatedly tried to approximate and crack the target fake password, thus confirming the existence of a credential stuffing attack.

[0056] The trend of similarity, as represented by the similarity parameter, can be determined by linear regression. For example, the linear regression model is as follows (5):

[0057] $s_i = \alpha + \beta i + \varepsilon_i$ (5)

[0058] Where $s_i$ is the dependent variable, which can be the similarity parameter; α is the intercept term; β is the slope parameter; i is the independent variable, which can be the position of the similarity parameter in the time series; and $\varepsilon_i$ is the error term. If the slope parameter β in the linear regression model is greater than 0, it indicates that the similarity represented by the similarity parameter is monotonically increasing.

[0059] The convergence of similarity parameters refers to the gradual convergence of similarity to a certain value or a stable state. The convergence can be determined by calculating the rate of change between two consecutive similarity parameters. If, over a period of time, the rate of change between two consecutive similarity parameters gradually decreases to below a preset rate of change threshold, the convergence of similarity parameters can be determined. The rate of change threshold can be set according to the scenario, requirements, experience, etc., and is not limited here. For example, the rate of change threshold can be 0.01. For example, the rate of change between two consecutive similarity parameters can be calculated according to the following formula (6):

[0060] $\mathrm{rate}(i) = \left| \dfrac{s_{i+1} - s_i}{s_i} \right|$ (6)

[0061] Where rate(i) is the rate of change between two consecutive similarity parameters; $s_{i+1}$ is the similarity parameter obtained the next time; and $s_i$ is the similarity parameter obtained the previous time.

[0062] In some embodiments, a sliding time window algorithm can be used to analyze the changes in similarity parameters. Specifically, in login request messages where the input password does not match the account password and are received in chronological order, a time window can be moved according to a preset time step. The average similarity is obtained based on the similarity parameters corresponding to the login request messages in the time window after each time window movement. The changes in the similarity parameters are determined based on the average similarity obtained after multiple time window movements. The time window can be set according to specific scenarios, needs, experience, etc., and includes a fixed number of similarity parameters. The preset time step can be consistent with the interval between two adjacent received login request messages. The time window can be slid in real time. For example, each time a new login request message for a target account is received, the similarity parameter corresponding to that login request message is calculated, the time window is moved once, so that the last data in the time window corresponds to the similarity parameter corresponding to the latest login request message, and the average similarity of the similarity parameters in the time window is calculated. Alternatively, for a series of similarity parameters within a preset time period that have already been obtained, the time window can be gradually slid until the last data in the time window corresponds to the similarity parameter corresponding to the latest login request message, and the average similarity of the similarity parameters in the time window is calculated. By calculating the average similarity of similarity parameters within a time window, the trend of continuous similarity parameters can be smoothed and analyzed. 
For example, the average similarity of similarity parameters within a time window can be represented by the following equation (7):

[0063]

[0064] Where window_avg(i) is the average similarity; $s_k$ is the k-th similarity parameter; w is the length of the time window, i.e., the number of similarity parameters contained in the time window; and w ≤ i ≤ n, where n is the total number of similarity parameters.

[0065] If the average similarity value corresponding to a time window gradually increases, it indicates that the similarity represented by the similarity parameter is improving. If the average similarity value corresponding to a time window gradually decreases, it indicates that the similarity represented by the similarity parameter is decreasing. If the average similarity value corresponding to a time window still fluctuates significantly, further smoothing processing can be performed to smooth out the fluctuations. Smoothing processing methods may include, but are not limited to, weighted moving average processing and exponential smoothing processing.

[0066] Based on similarity analysis using a sliding time window, the changing trends of continuous similarity parameters can be smoothed and analyzed, allowing for dynamic adjustment of the response time extension of login response messages according to the similarity parameters.

[0067] In some embodiments, the severity of a credential stuffing attack can be determined based on the magnitude of the similarity represented by the similarity parameter, thereby adjusting the security strategy. The similarity parameter can be positively correlated with the similarity. That is, the larger the similarity parameter, the higher the similarity; the smaller the similarity parameter, the lower the similarity. If the similarity parameter is greater than a first threshold, a CAPTCHA verification process is added and executed; if the similarity parameter is greater than a second threshold, the target account is locked for a preset lock duration; if the similarity parameter is greater than a third threshold, an alarm notification message is sent, and the target account is locked until the account administrator unlocks it. The specific values of the first, second, and third thresholds, as well as the preset lock duration, can be set according to the scenario, requirements, etc., and are not limited here. For example, the first threshold is 0.5, the second threshold is 0.8, and the third threshold is 0.9. That is, if the similarity parameter is greater than 0.5, a verification code verification process can be added to send a verification code to the real user of the target account to prompt the real user to enter the verification code for verification. If the login request message is sent by the attacker, the attacker will not be able to receive the verification code and will not be able to pass the verification code verification, thus protecting the login security of the target account. If the similarity parameter is greater than 0.8, the target account can be locked for 1 hour. If the similarity parameter is greater than 0.9, an alarm message can be sent to the administrator and the target account can be locked.
There is no time limit for locking the target account here, and the target account can only log in again after the administrator unlocks the target account.

[0068] The above-mentioned tiered dynamic defense strategy can strengthen the security protection of user login and improve the security of user data.
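The following Python code is an added example, not code from the patent. It applies the linear regression of formula (5), the rate of change of formula (6), the sliding-window average described for formula (7), and the tiered thresholds above to the per-account series of similarity parameters. The window form (mean of the w most recent values), the `tail` parameter, the handling of a zero denominator, the action labels, and the sample series are assumptions of this example.

```python
"""Added example: trend analysis over the similarity parameters recorded
for the failed logins of one target account, plus the tiered response."""
from statistics import mean


def regression_slope(series):
    """Least-squares slope beta of s_i = alpha + beta * i + eps_i, i = 1..n."""
    n = len(series)
    if n < 2:
        return 0.0
    xs = range(1, n + 1)
    x_bar, s_bar = mean(xs), mean(series)
    num = sum((x - x_bar) * (s - s_bar) for x, s in zip(xs, series))
    den = sum((x - x_bar) ** 2 for x in xs)
    return num / den


def change_rates(series):
    """Formula (6): |(s_{i+1} - s_i) / s_i| for consecutive values.
    ASSUMPTION: a previous value of 0 yields infinity unless nothing changed."""
    rates = []
    for prev, nxt in zip(series, series[1:]):
        if prev == 0:
            rates.append(0.0 if nxt == 0 else float("inf"))
        else:
            rates.append(abs((nxt - prev) / prev))
    return rates


def window_averages(series, w):
    """ASSUMED form of formula (7): mean of the w most recent similarity
    parameters ending at position i, for w <= i <= n."""
    return [mean(series[i - w:i]) for i in range(w, len(series) + 1)]


def is_anomalous(series, w=3, rate_threshold=0.01, tail=2):
    """Anomaly condition: similarity rises (slope > 0 on the smoothed series)
    and either converges (last `tail` rates below the threshold) or reaches
    the pseudo password (similarity 1). `tail` is an assumed parameter."""
    smoothed = window_averages(series, w)
    if len(smoothed) < tail + 1 or regression_slope(smoothed) <= 0:
        return False
    reached_pseudo_password = series[-1] == 1.0
    converged = all(r < rate_threshold for r in change_rates(smoothed)[-tail:])
    return reached_pseudo_password or converged


def security_action(sim, first=0.5, second=0.8, third=0.9):
    """Tiered policy with the example thresholds 0.5 / 0.8 / 0.9.
    The returned labels are hypothetical names for the three measures."""
    if sim > third:
        return "alarm_and_lock_until_admin_unlock"
    if sim > second:
        return "lock_for_preset_duration"
    if sim > first:
        return "captcha_verification"
    return "none"


# Constructed sample series, one similarity parameter per failed login.
CONVERGING = [0.05, 0.14, 0.28, 0.45, 0.60, 0.72,
              0.80, 0.84, 0.845, 0.846, 0.846, 0.846]
REACHED = [0.10, 0.14, 0.28, 0.44, 0.56, 0.69, 1.0]
DECREASING = [0.40, 0.35, 0.30, 0.22, 0.15, 0.10]

if __name__ == "__main__":
    for name, series in (("converging", CONVERGING), ("reached", REACHED),
                         ("decreasing", DECREASING)):
        print(name,
              f"slope={regression_slope(window_averages(series, 3)):+.4f}",
              f"anomalous={is_anomalous(series)}",
              f"action={security_action(series[-1])}")
```

Because the series is keyed by target account rather than by source IP address, attempts spread across many addresses and long intervals still land in the same series.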

[0069] In some embodiments, identified credential stuffing attacks can be recorded and security reports generated. Specifically, information related to each login attempt associated with a credential stuffing attack can be recorded, such as login request time, IP address, device fingerprint, and similarity parameters. Visual reports can also be generated, such as displaying attacker behavior patterns and trends in similarity parameters, allowing administrators and users to intuitively understand how credential stuffing attacks manifest. Security reports may also record alert messages and implemented protective measures.

[0070] For example, Figure 2 is a schematic diagram illustrating an example of a visualization report provided in an embodiment of this application. As shown in Figure 2, the curves of similarity parameters corresponding to the login request messages of User 1, User 2, and User 3 are displayed, along with the warning threshold line and the alarm threshold line. In Figure 2, the x-axis represents time, and the y-axis represents the similarity parameter, which is positively correlated with the similarity score. The three green dashed lines represent the linear regression lines for the similarity parameter curves of User 1, User 2, and User 3, respectively. From Figure 2 it can be seen that the slope of the linear regression fitting line of the similarity parameter curve for User 1 is almost 0, the similarity parameter curve for User 1 is converging, and the similarity parameter curve for User 1 is above the warning threshold, indicating a possible credential stuffing attack. Further observation or consideration of the previous trend of the similarity parameter curve for User 1 is needed to determine whether a credential stuffing attack has occurred, but warning measures should be taken for User 1. The slope of the linear regression fitting line of the similarity parameter curve for User 2 is greater than 0. The similarity parameter curve for User 2 is increasing, and the similarity parameter is close to 1 in the later stages. The similarity parameter curve for User 2 is partially above the warning threshold, and even partially above the alarm threshold, indicating a possible credential stuffing attack. Warning and alert measures should be taken for User 2. The slope of the linear regression fitting line of the similarity parameter curve for User 3 is less than 0. The similarity parameter curve for User 3 is decreasing, and the similarity parameter curve for User 3 is below the warning threshold, indicating no credential stuffing attack.
No warning or alert measures are needed for User 3.

[0071] For ease of understanding, the following example illustrates the process for identifying credential stuffing attacks in this application. Figure 3 is a flowchart illustrating an example of a credential stuffing attack identification process provided in an embodiment of this application. The credential stuffing attack can be executed by a user logging into the system. As shown in Figure 3, the process for identifying credential stuffing attacks may include steps a1 to a10.

[0072] In step a1, a login request message is received.

[0073] In step a2, the account password verification process is performed. This process compares the login password entered in the login request message with the target account's actual password, i.e., the account password.

[0074] In step a3, if the login password matches the account password, a login response message is returned normally.

[0075] In step a4, if the login password does not match the account password, the similarity between the login password and the target pseudo password is calculated. The similarity can be represented by a similarity parameter.

[0076] In step a5, the behavioral data corresponding to each login request message is recorded. This behavioral data may include, but is not limited to, similarity parameters, IP address, device fingerprint information, login request time, and login account.

[0077] In step a6, long-term behavioral analysis is performed on the login target account. This long-term behavioral analysis may include obtaining information on changes in similarity parameters.

[0078] In step a7, an anomaly is detected. Anomaly detection is performed by checking if changes in the similarity parameter meet the anomaly identification criteria. If the changes in the similarity parameter meet the anomaly identification criteria, an anomaly is determined to have occurred; if the changes in the similarity parameter do not meet the anomaly identification criteria, no anomaly is determined to have occurred. If no anomaly is found, proceed to step a3; if an anomaly is found, it is considered that a credential stuffing attack has occurred, and proceed to step a8.

[0079] In step a8, a stepped response duration strategy is executed. The stepped response duration strategy includes finding the response delay duration corresponding to the similarity parameter from a stepped gradient mapping relationship based on the similarity parameter, and feeding back the login response message according to the response delay duration.

[0080] In step a9, the credential stuffing attack behavior is recorded and a security report is generated.

[0081] In step a10, the credential stuffing attack behavior is monitored and alerted.

[0082] The specific details of steps a1 to a10 above can be found in the relevant descriptions in the above embodiments, and will not be repeated here.

[0083] This application also provides a device for identifying credential stuffing attack behavior. Figure 4 is a schematic diagram of the structure of a credential stuffing attack behavior identification device provided in an embodiment of this application. As shown in Figure 4, the credential stuffing attack behavior identification device 200 may include a receiving module 201, a similarity calculation module 202, a response time determination module 203, and a behavior determination module 204.

[0084] The receiving module is used to receive login request messages for the target account. The login request message includes the target username and the login password. The target username corresponds to the target account.

[0085] The similarity calculation module is used to calculate the similarity parameter between the login password and the pre-set target pseudo password for the target account when the login password does not match the account password of the target account. The target pseudo password is different from the account password.

[0086] The response duration determination module determines the response delay duration based on the similarity parameter and feeds back the login response message according to the response delay duration.

[0087] The behavior determination module is used to determine whether there is a credential stuffing attack on the target account when the changes in similarity parameters corresponding to multiple login request messages of the target account meet preset anomaly identification conditions.

[0088] In some embodiments, the similarity calculation module 202 may be specifically used to: determine a first similarity parameter based on the operation required to convert the login input password into a target pseudo password; determine a second similarity parameter based on the length of the matching prefix between the login input password and the target pseudo password; and perform comprehensive processing on the first similarity parameter and the second similarity parameter to obtain a similarity parameter.

[0089] In some examples, the similarity calculation module 202 can be specifically used to: obtain the minimum number of operations required to convert the first i characters of the login input password into the first j characters of the target pseudo password, until the minimum number of operations required to convert the login input password into the target pseudo password is obtained. The minimum number of operations required to convert the first i characters of the login input password into the first j characters of the target pseudo password is obtained based on the conversion between the first i-1 characters of the login input password and the first j-1 characters of the target pseudo password, where i is any character in the login input password and j is any character in the target pseudo password; and normalize the minimum number of operations required to convert the login input password into the target pseudo password to obtain the first similarity parameter.

[0090] In some examples, the similarity calculation module 202 may be specifically used to: identify consecutive characters that are identical to the login input password and the target pseudo password starting from the first character as a matching prefix; obtain the greater of the length of the login input password and the length of the target pseudo password, and determine the ratio of the length of the matching prefix to the greater of the lengths as a second similarity parameter.

[0091] In some embodiments, the response delay duration is positively correlated with the similarity represented by the similarity parameter.

[0092] In some embodiments, the response duration determination module 203 may be specifically used to: find the delay duration corresponding to the calculated similarity parameter in a preset gradient mapping relationship, and determine the found delay duration as the response delay duration. The gradient mapping relationship includes the correspondence between the similarity parameter and the delay duration. In the gradient mapping relationship, the similarity represented by the similarity parameter is increased by a preset similarity step, and the delay duration is increased by a preset duration step.

[0093] In some embodiments, the anomaly identification conditions include: the similarity represented by the similarity parameter increases monotonically and gradually converges; or, the similarity represented by the similarity parameter increases monotonically until it represents that the login input password is consistent with the target fake password.

[0094] In some embodiments, the similarity calculation module 202 can also be used to: move the time window according to a preset time step in the login request messages received in chronological order where the login input password does not match the account password; obtain the average similarity based on the similarity parameter corresponding to the login request message in the time window after each time window movement; and determine the change of the similarity parameter based on the average similarity obtained after multiple time window movements.

[0095] In some embodiments, the similarity parameter is positively correlated with the similarity. The credential stuffing attack identification device 200 may further include a security policy module. The security policy module may be used to: if the similarity parameter is greater than a first threshold, add and execute a CAPTCHA verification process; if the similarity parameter is greater than a second threshold, control the target account to lock for a preset lock duration; if the similarity parameter is greater than a third threshold, send an alarm notification message and lock the target account until the account administrator unlocks it; wherein the first threshold is less than the second threshold, and the second threshold is less than the third threshold.

[0096] It should be noted that the device 500 for accessing virtual reality conferences is a device corresponding to the method for accessing virtual reality conferences described above. All implementation methods in the above method embodiments are applicable to the embodiments of this device and can achieve the same technical effect.

[0097] This application also provides a device for identifying credential stuffing attack behavior. Figure 5 is a schematic diagram of the structure of a credential stuffing attack behavior identification device provided in an embodiment of this application. As shown in Figure 5, the credential stuffing attack identification device 300 includes a memory 301, a processor 302, and a computer program stored on the memory 301 and capable of running on the processor 302.

[0098] In some examples, the processor 302 described above may include a central processing unit (CPU), or an application-specific integrated circuit (ASIC), or one or more integrated circuits that may be configured to implement the embodiments of this application.

[0099] Memory 301 may include read-only memory (ROM), random access memory (RAM), disk storage media device, optical storage media device, flash memory device, electrical, optical, or other physical/tangible memory storage device. Therefore, typically, memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software including computer-executable instructions, and when the software is executed (e.g., by one or more processors), it is operable to perform the operations described with reference to the credential stuffing attack behavior identification method according to embodiments of this application.

[0100] The processor 302 reads the executable program code stored in the memory 301 to run the computer program corresponding to the executable program code, so as to implement the credential stuffing attack behavior identification method in the above embodiment.

[0101] In some examples, the credential stuffing attack detection device 300 may also include a communication interface 303 and a bus 304. For example, as shown in Figure 5, the memory 301, processor 302, and communication interface 303 are connected through bus 304 and communicate with each other.

[0102] The communication interface 303 is mainly used to realize communication between various modules, devices, units and/or equipment in the embodiments of this application. Input devices and/or output devices can also be connected through the communication interface 303.

[0103] Bus 304 includes hardware, software, or both, that couples the components of credential stuffing attack detection device 300 together. For example, and not as a limitation, bus 304 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-E) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB) bus, or other suitable buses, or a combination of two or more of these. Where appropriate, bus 304 may include one or more buses. Although specific buses are described and illustrated in the embodiments of this application, this application considers any suitable bus or interconnection.

[0104] This application also provides a computer-readable storage medium storing computer program instructions. When these computer program instructions are executed by a processor, they can implement the credential stuffing attack identification method described in the above embodiments and achieve the same technical effect. To avoid repetition, further details are omitted here. The aforementioned computer-readable storage medium may include non-transitory computer-readable storage media, such as read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks, etc., and is not limited thereto.

[0105] This application also provides a computer program product, which includes a computer program. When the computer program is executed by a processor, it implements the credential stuffing attack behavior identification method in the above embodiments and can achieve the same technical effect. To avoid repetition, it will not be described again here.

[0106] It should be clarified that the various embodiments in this specification are described in a progressive manner, and the same or similar parts between the various embodiments can be referred to mutually. Each embodiment focuses on describing the differences from other embodiments. For the device embodiments, equipment embodiments, computer-readable storage medium embodiments, and computer program product embodiments, the relevant parts can be referred to the description section of the method embodiments. This application is not limited to the specific steps and structures described above and shown in the figures. Those skilled in the art can make various changes, modifications, and additions, or change the order of steps, after understanding the spirit of this application. Furthermore, for the sake of brevity, detailed descriptions of known methods and techniques are omitted here.

[0107] The aspects of this application have been described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It should be understood that each block in the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus to produce a machine such that these instructions, executable via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/actions specified in one or more blocks of the flowchart illustrations and/or block diagrams. Such a processor can be, but is not limited to, a general-purpose processor, a special-purpose processor, a special application processor, or a field-programmable logic circuit. It is also understood that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can also be implemented by dedicated hardware performing the specified functions or actions, or can be implemented by a combination of dedicated hardware and computer instructions.

[0108] Those skilled in the art will understand that the above embodiments are exemplary and not restrictive. Different technical features appearing in different embodiments can be combined to achieve beneficial effects. Based on a study of the drawings, specification, and claims, those skilled in the art should be able to understand and implement other variations of the disclosed embodiments. In the claims, the term "comprising" does not exclude other means or steps; the quantifier "a" does not exclude a plurality; the terms "first" and "second" are used to identify names and not to indicate any particular order. No reference numerals in the claims should be construed as limiting the scope of protection. The functionality of multiple parts appearing in the claims can be implemented by a single hardware or software module. The appearance of certain technical features in different dependent claims does not mean that these technical features cannot be combined to achieve beneficial effects.

Claims

1. A method for identifying credential stuffing attack behavior, characterized in that it comprises: receiving a login request message for a target account, the login request message including a target username and a login input password, the target username corresponding to the target account; if the login input password does not match the account password of the target account, calculating a similarity parameter between the login input password and a target pseudo password preset for the target account, wherein the target pseudo password is different from the account password; determining a response delay duration based on the similarity parameter, and feeding back a login response message according to the response delay duration; and if the changes in the similarity parameters corresponding to multiple login request messages for the target account meet preset anomaly identification conditions, determining that a credential stuffing attack attempting to log in to the target account has occurred.

2. The method according to claim 1, characterized in that the calculation of the similarity parameter between the login input password and the target pseudo password preset for the target account includes: determining a first similarity parameter based on the operations required to convert the login input password into the target pseudo password; determining a second similarity parameter based on the length of the matching prefix between the login input password and the target pseudo password; and combining the first similarity parameter and the second similarity parameter to obtain the similarity parameter.

3. The method according to claim 2, characterized in that the step of determining the first similarity parameter based on the operations required to convert the login input password into the target pseudo password includes: obtaining, one by one, the minimum number of operations required to convert the first i characters of the login input password into the first j characters of the target pseudo password, until the minimum number of operations required to convert the login input password into the target pseudo password is obtained, wherein the minimum number of operations required to convert the first i characters of the login input password into the first j characters of the target pseudo password is obtained based on the conversion between the first i-1 characters of the login input password and the first j-1 characters of the target pseudo password, where i is any character in the login input password and j is any character in the target pseudo password; and normalizing the minimum number of operations required to convert the login input password into the target pseudo password to obtain the first similarity parameter.

4. The method according to claim 2, characterized in that the step of determining the second similarity parameter based on the length of the matching prefix between the login input password and the target pseudo password includes: defining the matching prefix as the consecutive characters, starting from the first character, that are identical between the login input password and the target pseudo password; and obtaining the longer of the length of the login input password and the length of the target pseudo password, and determining the ratio of the length of the matching prefix to the longer length as the second similarity parameter.

5. The method according to claim 1, characterized in that the response delay duration is positively correlated with the similarity represented by the similarity parameter.

6. The method according to claim 1, characterized in that the step of determining the response delay duration based on the similarity parameter includes: looking up, in a preset gradient mapping relationship, the delay duration corresponding to the calculated similarity parameter, and determining the delay duration found as the response delay duration, wherein the gradient mapping relationship includes the correspondence between the similarity parameter and the delay duration, and in the gradient mapping relationship, each time the similarity represented by the similarity parameter increases by a preset similarity step, the delay duration increases by a preset duration step.

7. The method according to claim 1, characterized in that the anomaly identification conditions include: the similarity represented by the similarity parameter increases monotonically and gradually converges; or the similarity represented by the similarity parameter increases monotonically until it indicates that the login input password is consistent with the target pseudo password.

8. The method according to claim 1, characterized in that it further includes: over the login request messages, received in chronological order, in which the login input password does not match the account password, moving a time window according to a preset time step; after each shift of the time window, obtaining the average similarity based on the similarity parameters corresponding to the login request messages within the time window; and determining the changes in the similarity parameter based on the average similarities obtained after multiple time window shifts.

9. The method according to claim 1, characterized in that the similarity parameter is positively correlated with the similarity, and the method further includes: if the similarity parameter is greater than a first threshold, adding and executing a CAPTCHA verification process; if the similarity parameter is greater than a second threshold, locking the target account for a preset lock duration; and if the similarity parameter is greater than a third threshold, sending an alarm notification message and locking the target account until the account manager unlocks it; wherein the first threshold is less than the second threshold, and the second threshold is less than the third threshold.

10. A device for identifying credential stuffing attack behavior, characterized in that it comprises: a receiving module, used to receive a login request message that requests login to a target account, the login request message including a target username and a login input password, the target username corresponding to the target account; a similarity calculation module, used to calculate the similarity parameter between the login input password and a target pseudo password preset for the target account when the login input password is inconsistent with the account password of the target account, wherein the target pseudo password is different from the account password; a response duration determination module, used to determine the response delay duration based on the similarity parameter and to feed back the login response message according to the response delay duration; and a behavior determination module, used to determine that there is credential stuffing attack behavior attempting to log in to the target account when the changes in the similarity parameters corresponding to multiple login request messages of the target account meet preset anomaly identification conditions.

11. A device for identifying credential stuffing attack behavior, characterized in that it comprises: a processor and a memory storing computer program instructions; wherein when the processor executes the computer program instructions, it implements the credential stuffing attack behavior identification method as described in any one of claims 1 to 9.

12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer program instructions which, when executed by a processor, implement the credential stuffing attack behavior identification method as described in any one of claims 1 to 9.

13. A computer program product, characterized in that it comprises a computer program that, when executed by a processor, implements the credential stuffing attack behavior identification method according to any one of claims 1 to 9.
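The similarity calculation of claims 2 to 4 and the stepped delay lookup of claim 6 can be sketched as follows; this is an added illustration, not code from the patent. It assumes the "operations" are insertions, deletions and substitutions (Levenshtein distance), a 1 - d/max_len normalisation, an equal-weight sum as the combination, and illustrative step sizes; the pseudo password and guesses are constructed sample values.

```python
import math

def edit_distance(a: str, b: str) -> int:
    """Claim 3: fill the DP table row by row; cell (i, j) is built from (i-1, j-1) and neighbours."""
    prev = list(range(len(b) + 1))          # turning "" into b[:j] costs j inserts
    for i, ca in enumerate(a, 1):
        cur = [i]                           # turning a[:i] into "" costs i deletes
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute, or free match
        prev = cur
    return prev[-1]

def first_similarity(guess: str, decoy: str) -> float:
    """Normalised edit distance; 1 - d/max_len is an assumed normalisation."""
    longest = max(len(guess), len(decoy))
    return 1.0 if longest == 0 else 1.0 - edit_distance(guess, decoy) / longest

def second_similarity(guess: str, decoy: str) -> float:
    """Claim 4: matching-prefix length divided by the longer of the two lengths."""
    longest = max(len(guess), len(decoy))
    prefix = 0
    for x, y in zip(guess, decoy):
        if x != y:
            break
        prefix += 1
    return 1.0 if longest == 0 else prefix / longest

def similarity(guess: str, decoy: str, w_edit: float = 0.5) -> float:
    """Claim 2: combine both parameters; the weighted sum and 0.5 weight are assumptions."""
    return w_edit * first_similarity(guess, decoy) + (1 - w_edit) * second_similarity(guess, decoy)

def response_delay(sim: float, sim_step=0.2, delay_step=0.5, base=0.2) -> float:
    """Claim 6: each full similarity step adds one duration step (step sizes assumed)."""
    return base + math.floor(sim / sim_step + 1e-9) * delay_step

DECOY = "Spring2024!"  # constructed pseudo password, never the real account password
if __name__ == "__main__":
    for guess in ("hunter2", "Spring1999", "Spring2023!", DECOY):  # constructed failed guesses
        s = similarity(guess, DECOY)
        print(f"{guess:12} similarity={s:.3f} delay={response_delay(s):.1f}s")
```

The similarity is only computed on the failed-login path, after the comparison with the real account password has already failed, as claim 1 requires.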
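The sliding-window averaging of claim 8 and the anomaly conditions of claim 7 can be sketched as detection logic over per-account failed-login records; this is an added illustration, not code from the patent. Reading "gradually converges" as non-growing increments between window averages, and the `min_windows` and `min_rise` guards, are assumptions; the event lists are constructed samples.

```python
from statistics import mean

def window_averages(events, window, step):
    """Claim 8: slide a time window over failed logins [(unix_ts, similarity), ...] sorted by time."""
    if not events:
        return []
    averages, start, last = [], events[0][0], events[-1][0]
    while start <= last:
        inside = [s for t, s in events if start <= t < start + window]
        if inside:                      # skip windows with no failed logins
            averages.append(mean(inside))
        start += step
    return averages

def is_abnormal(averages, last_similarity, min_windows=4, min_rise=0.3, eps=1e-9):
    """Claim 7: monotonic rise that converges, or monotonic rise ending on the pseudo password."""
    if len(averages) < min_windows:     # assumed guard: too little history to judge a trend
        return False
    deltas = [b - a for a, b in zip(averages, averages[1:])]
    rising = all(d >= -eps for d in deltas) and averages[-1] - averages[0] >= min_rise
    if not rising:
        return False
    converging = all(d2 <= d1 + eps for d1, d2 in zip(deltas, deltas[1:]))
    hit_decoy = last_similarity >= 1.0 - eps
    return converging or hit_decoy

HOUR = 3600
# Constructed: one failed guess per hour, each a little closer to the pseudo password.
ATTACK = [(i * HOUR, s) for i, s in enumerate([0.10, 0.35, 0.55, 0.70, 0.80, 0.86, 0.90])]
# Constructed: a legitimate user mistyping twice on two different days.
TYPOS = [(0, 0.10), (40, 0.05), (90000, 0.12), (90030, 0.08)]

def detect(events, window=2 * HOUR, step=HOUR):
    """Per-account decision: average per window, then test the trend of the averages."""
    return is_abnormal(window_averages(events, window, step), events[-1][1])

if __name__ == "__main__":
    print("attack flagged:", detect(ATTACK))
    print("typos flagged: ", detect(TYPOS))
```

Because the decision depends on the trend of similarity rather than on request rate, one guess per hour is still flagged, which is the low-frequency case the patent targets.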